SECURITY CONSIDERATIONS IN RFID BASED SUPPLY CHAIN MANAGEMENT SYSTEMS Binod Vaidya EECS, Univ. of Ottawa WiSense Seminar 17 May 2012


Outlines
• Overviews
• RFID based Supply Chain management System
• Threats and attacks
• Non-PKC schemes
• PKC based schemes
• GPS scheme
• Authenticated Supply chain system
• Security analysis
• Efficiency analysis
• Performance evaluation


RFID Overviews
• Radio Frequency Identification (RFID) technology is a promising technology in the ubiquitous computing area.
• RFID is used for various applications, ranging from inventory systems to supply chain management solutions.
• There are three types of RFID tags, all of which can be either read-write or read-only.
  • Passive Tags - simply store data and draw power from a reader whose electromagnetic wave induces a current in the tag’s antenna for short-range communication (up to 10 m).
  • Semi-passive Tags - use an integral battery to run the chip’s circuitry but draw power from the reader to communicate.
  • Active Tags - are capable of communicating over greater distances (up to 100 m) but are currently far more expensive.


RFID based Supply chain management

• A supply chain represents the flow of materials, information, and finance as they move through supply chain partners such as manufacturers, suppliers, distributors, retailers, and consumers.

• The objective of supply chain management is to increase the long-term performance of individual companies and of the overall supply chain by maximizing customer value and minimizing costs.

• In a supply chain management system, an RFID tag is used to identify the object to which it is attached, without any physical contact, in various locations.


RFID based Supply chain management

• Benefit of EPC code is primarily derived from the ability to automatically pin-point the exact location of goods.
  • Enhanced supply-chain control. As the location of a part can be identified at every transfer point with accuracy, the whole supply-chain can be controlled.
  • Security and authentication. An RFID tag can be written with an identifier chosen by the enterprise. This unique identifier can be used to authenticate a part or a document. RFID technology also supports various security models so that a tag cannot be easily duplicated or forged.
  • Enhanced customer service. RFID technology can promote customer service by allowing faster check-outs, returns, and personalization of service.


RFID based Supply chain management

• RFID will have a significant impact on every facet of supply chain management
  • moving goods through loading docks,
  • managing terabytes of data as information about goods on hand is collected in real time.

• RFID has potential to dramatically improve supply chain
  • reducing costs, inventory levels, stock outs and shrinkage rates;
  • increasing throughput, quality, manufacturing flexibility,
  • enhancing inventory visibility, inventory record accuracy, customer service, and collaboration among supply chain partners.


RFID based Supply chain management

• Applications fall in manufacturing, warehousing/distribution centers, logistics, suppliers and retailing environments.


Threats and Attacks
• RFID tag cloning occurs in the form of cloned tags on fake products or cloned tags on genuine products.
  • An RFID tag is cloned when the tag identification number (TID) and the form factor are copied to an empty tag. Hence the same tag data structure will exist on two different products.

• Fraud is the act of using the cloned tags and adding the serial numbers of EPC codes.

• Counterfeiting is a more generalised term which includes both the act of cloning and fraud of RFID tags and tagging onto fake products in the market for personal benefit.


Threats and Attacks
• Counterfeiting product


Threats and Attacks
• Typical attacks on tags and readers.
  • Impersonation attack occurs when an attacker masquerades as a valid tag and thereby gains an illegitimate advantage. Tag cloning is a kind of spoofing attack that captures the data from a valid tag.
  • Skimming attack occurs when RFID tags are read directly without anyone's knowledge.
  • Eavesdropping attack happens when an attacker sniffs the transmission between the tag and reader to capture the tag's data.
  • Man-in-the-middle attack occurs when a fake reader is used to trick the genuine tags and readers during data transmission. RFID tag data could also be altered using this technique and, as a result, fraudulent tags could be generated too.
  • In a replay attack, a valid RFID signal is intercepted and its data is recorded; this data is later transmitted to a reader where it is "played back." Because the data appears valid, the system accepts it.


Threats and Attacks
• Denial of Service (DoS) attack is carried out by disabling the system by sending excessive messages or simply shielding the RFID device to keep it from operating. Moreover, attackers can intercept transmitted information so that the tag and the database are unable to update their information synchronously, which causes the following authentications and accesses to fail.

• Physical attack, which requires expertise and expensive equipment, takes place in a laboratory on expensive RFID tags and security-embedded tags.


Non-PKC based Schemes
• Non-PKC-based RFID systems
  • Some use simple bit-wise operations, like XOR, AND, OR, and rotation,
  • Some support cyclic redundancy code (CRC) and pseudo random number generator (PRNG), like the EPCglobal Class-1 Gen-2 RFID standard,
  • Some adopt one-way hash functions, random number generating functions, or symmetric-key encryptions.

• However, the robustness of non-PKC-based RFID solutions using only simple bit operations, CRC, and PRNG is easily challenged.

• They usually suffer from the scalability problem.


PKC based Schemes
• Suitability of Public-Key (PK) algorithms for RFID is an open research problem as limitations in costs, area and power are quite severe.
• Two foremost varieties of RFID identification protocols using public key cryptography (PKC).
  • First type, introduced by Shamir, relies on a variation of the Rabin cryptosystem.
    • SQUASH by Shamir and WIPR by Oren and Feldhofer.
  • Second one uses a token-based approach where pre-computed tokens, or coupons, are stored on the tag. The tag, when queried, uses up these coupons to authenticate itself to the reader.
    • Coupon-type scheme is an RFID-optimized implementation of the GPS protocol.

• Rabin cryptosystem-type schemes do not have any limitation on the number of authentications, but they are susceptible to several active attacks.

• Even though coupon-type approach is quite simple, it can be easily rendered useless by a malicious reader through the simple exhaustion of coupons - a type of DoS attack.


Schnorr type Public key Identification Schemes

• Schnorr protocol is a well-known identification protocol.
  • Public key scheme that allows entity authentication using a zero-knowledge proof-of-knowledge, i.e. the second party does not learn anything about the used secret.

• GPS scheme was proposed by M. Girault et al. which provides faster authentication.
  • On-tag GPS computation reduces to simple integer computation of the response from the tag with the challenges provided by the reader. This is a regular integer computation consisting solely of a multiplication and a subtraction.

• GPS scheme may be well-suited to constrained environments.


GPS Identification Scheme
• GPS is a zero-knowledge authentication protocol that allows small hardware implementations of the prover wanting to assure its identity.
• GPS scheme is standardized within ISO/IEC 9798-5 [12]
• Of particular practical interest are a series of optimizations that are designed to ease the computation and storage costs.
  • One important optimization is the use of coupons.
  • These variants are mainly based on complete (full) coupon, or partial coupon or coupon-re-calculation
• Coupons can be pre-calculated
  • These coupons can be stored in the internal memory of RFID tags or can be transferred by the verifier during an authentication process.
  • Due to the use of coupons, the authentication of the tag can be performed "on-the-fly" and much faster.
• GPS variant using elliptic curve operations that uses pre-computed coupons and allows smaller keys.
• McLoone and Robshaw replace the modular exponentiation with a coupon and a simple integer (non-modular) calculation.
• Use PRG to help re-generate the random number inside the coupon.
  • PRG takes about 1000 gate equivalences on the tag, but drastically reduces coupon sizes.
  • With PRG, the implementation fits on no more than an estimated 1500 gate equivalences, and 10 such reduced-sized coupons take up approximately 500 GEs, for a total of 2000 GEs.


GPS Identification Scheme
• EC-GPS


GPS Identification Scheme
• Limitations of GPS protocol
  • 1) Timing attack:
    • While applying this attack, the attacker impersonates the verifier, and is able to measure precisely the computation time for the commitment step.
  • 2) Denial of service (DoS) attack:
    • DoS attack is performed when an adversary wants to make the prover unusable by any means.
    • GPS identification scheme with stored pre-computed coupons is vulnerable to DoS attack since a prover has to utilize its coupon to perform verification.
    • With a limited number of coupons available, an adversary can exhaust all the coupons almost instantaneously.
    • The prover will no longer be able to successfully perform the protocol.


GPS Identification Scheme
• 3) Stolen coupon attack:
  • A malicious user may illegally acquire stored coupons in an RFID tag to perform the following attack.
  • He can learn X, c, and y by continuously eavesdropping on traffic flows between the prover and the verifier. Then he can conduct offline computations to resolve the corresponding r from the obtained X, and compute s after knowing r, c, and y. Accordingly, the adversary can easily disclose private key s.


Authenticated Supply Chain System
• Authenticated supply chain system
  • Uses a tag digital signature to ensure that the tag is genuine to a specific manufacturer and is not counterfeit.
  • Uses Improved EC-GPS to provide tag authentication.

• Design is primarily motivated by the identification of three key roles associated with design and operational usage of the Authenticated supply chain system. These roles are:
  • Manufacturer. The Manufacturer is the initiator that provides a tag digital signature in the tag.
  • Intermediate supply chain partners. They are supply chain partners on the route and have an authenticated RFID reader to verify the tag digital signature.
  • Consumers. Consumers are end-users of the Authenticated supply chain system. They have an authenticated RFID reader to verify the tag digital signature.


Tag Digital signature
• Signature:
  • To sign a message m, a user with secret key s chooses a at random and computes R = a.P.
  • The derived signature is σ = (R, z), where
    • z = a + s.H(m, R).
• Verification:
  • Given a message m, signature σ = (R, z) and a public key V, one checks if
    • z.P = R + H(m,R)V


Improved EC-GPS
• Operation of Improved EC-GPS


Improved EC-GPS
• Pre-computation phase
  • A tag can pre-compute a set of coupons off-line and securely store them in the memory for further computation.
• Protocol Run
  • RFID tag selects two coupons (rj, Xj) and (rk, Xk) and computes commitment = h(Xj + Xk), then  sends to the RFID reader
  • RFID reader randomly selects challenge c and sends to tag.
  • After receiving challenge c from the verifier, the prover will compute the response y as follows:
    • = rj + rk
    • y = – c.s
  • Tag will send the response y to the verifier (ie reader).
  • After receiving it, Reader will verify the result as follows:
    • =? h(y.P + c.V)


Security Proofs

• If the verification equation holds, the verifier (ie reader) shall confirm that the prover (ie tag) is genuine.
  • = h(y.P + c.V)
  • = h(( – c.s)P + c.s.P)
  • = h(((rj + rk) – c.s)P + c.s.P)
  • = h(rj P+ rk P – c.sP + c.s.P)
  • = h(rj P+ rk P)
  • = h(Xj + Xk)
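
The tag digital signature and the Improved EC-GPS run from the preceding slides, written out as an added example that is not part of the original presentation. The curve (secp256k1), SHA-256 for both h and H, the point encoding, and reducing y modulo the group order n are assumptions made here; `Tag`, `sign`, `verify_sig` and `reader_check` are hypothetical names.

```python
import hashlib
import secrets

# secp256k1 parameters; curve, SHA-256 and encodings are assumptions here.
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, A):
    """Double-and-add scalar multiplication k.A (not constant time)."""
    R, k = None, k % n
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def h(*parts):
    """SHA-256 over bytes and curve points, returned as an integer."""
    data = b"".join(x if isinstance(x, bytes) else
                    x[0].to_bytes(32, "big") + x[1].to_bytes(32, "big")
                    for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(s, m):
    """Tag digital signature: R = a.P, z = a + s.H(m, R)."""
    a = secrets.randbelow(n - 1) + 1
    R = mul(a, P)
    return R, (a + s * h(m, R)) % n

def verify_sig(V, m, sig):
    """Check z.P = R + H(m, R).V for the public key V = s.P."""
    R, z = sig
    return mul(z, P) == add(R, mul(h(m, R), V))

class Tag:
    """iEC-GPS prover with reusable pre-computed coupons (r, X = r.P)."""
    def __init__(self, s, count=4):
        self.s = s
        rs = [secrets.randbelow(n - 1) + 1 for _ in range(count)]
        self.coupons = [(r, mul(r, P)) for r in rs]   # pre-computation phase
    def commit(self):
        (rj, Xj), (rk, Xk) = secrets.SystemRandom().sample(self.coupons, 2)
        self.r = rj + rk
        return h(add(Xj, Xk))                # commitment h(Xj + Xk)
    def respond(self, c):
        return (self.r - c * self.s) % n     # y = (rj + rk) - c.s, mod n

def reader_check(V, commitment, c, y):
    """Reader accepts iff commitment == h(y.P + c.V)."""
    return commitment == h(add(mul(y, P), mul(c, V)))
```

Calling `commit()` repeatedly never shrinks the coupon list, which is the reuse property the slides rely on when discussing coupon exhaustion.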


Security Analysis

• 1) Impersonation attack:
  • If an adversary tries to impersonate a tag, he needs to know private key s and commitments (ri, rj) to compute a valid response y. Deriving s and (ri, rj) is not feasible due to the intractability of the ECDLP.

• 2) Man-in-The-Middle (MiTM) attack:
  • To perform MiTM attacks in the RFID supply-chain system, an attacker has to be capable of capturing and modifying all communication flows between the tag and the reader. However, the proposed schemes can resist MiTM attacks since the adversary cannot derive the sensitive information (ie., ri, rj, s ) from the message flows (ie, , c, y). Even if he modifies the message flow, it will be detected during the verification process.

• 3) Denial of Service (DoS) attack:
  • The adversary can perform a DoS attack in order to exhaust stored coupons in a short period of time. However, in the proposed schemes, since coupons are reusable, the commitment is computed in such a way that the adversary is not able to drain the stored coupons.


Security Analysis
• 4) Timing attack:
  • The proposed schemes can resist timing attack as both schemes have a set of pre-computed coupons in the memory.

• 5) Stolen coupon attack:
  • The proposed schemes are capable of resisting stolen coupon attack. Even though the adversary manages to obtain all message flows (, c, y), he would not be able to derive (ri, rj) from the obtained information because the proposed schemes use point addition operation and one-way hash function for the computation of .

• 6) Eavesdropping attack:
  • Since the communicating parties have a secret session key to encrypt all the communications between them, the proposed schemes can prevent eavesdropping attacks.

• 7) Anti-counterfeiting:
  • Use of a tag digital signature can prevent counterfeiting.


Efficiency Analysis
• Commitments vs number of coupons


Efficiency Analysis
• Computational overheads of EC-GPS and iEC-GPS


Performance Evaluation
• Simulation using OPNET
• RFID based Supply chain management system with Tag and Reader
• Evaluation of PKC based authentication schemes for RFID based SCM
  • Using EC-GPS
  • Using iEC-GPS


Performance Evaluation
• Attacker Models: Attackers emerge for a certain time and intentionally deplete the stored coupons in the user during that period of time.
• For the experiment, two models are used as follows.
  • Naive-attacker: In this model, an attacker endeavors to be naïve, that is, after receiving the response from the user, the adversary will wait for some time before sending the next round of authentication request to the user, as if it were verifying the response.
  • Aggressive-attacker: In this model, an attacker is aggressive, in the sense that the attacker will not wait for the response verification time and swiftly sends the authentication request to the user.


Performance Evaluation
• Performance Metrics: We have considered several imperative performance metrics in the experiment.
  • Authentication success ratio: Ratio of authentication requests that are concluded successfully with respect to the total number of requests.
  • Authentication latency: It is defined as end-to-end time required for successful authentication.


Results and Analysis

• Success rate vs attack attempt rate
  • Naive attack model
  • Aggressive attack model


Results and Analysis
• Authentication latency vs number of attempts


Conclusion
• RFID based supply management system
• Non-PKC vs PKC
• Limitation of GPS scheme
• Proposed Authenticated SCS
  • Tag digital signature
  • Improved EC-GPS
• Security and efficiency analysis
• Performance analysis of EC-GPS and iEC-GPS
  • iEC-GPS is more robust than EC-GPS


•Thank you